We have noted a large amount of MIT related email accounts showing up on Darknet forums and in leaks posted to Paste sites.
The information posted includes 98 accounts and additional information. The information is verified as we have been able to get confirmation from several students and staff.
The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information sometimes without the company even being aware. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in process and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Tuesday, January 19, 2016
Sunday, January 17, 2016
Credit Suisse accounts start appearing online
We started noticing credit-suisse accounts showing up online this evening. Our system that collects information on compromised accounts started alerting to accounts at the firm. It is not known if the accounts detected are end user accounts or corporate accounts.
Wednesday, January 13, 2016
State of Virginia DHRM fails to respond to notification
On 1-7-2016 a researcher that assist Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
As of the posting of this article the document remains on the web1.dhrm.virginia.gov website and there has been no response for the contact Nancy Tobin identified as the documents author. Our email was not returned as undeliverable.
We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue.
Thank you for bringing this matter to our attention."
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
As of the posting of this article the document remains on the web1.dhrm.virginia.gov website and there has been no response for the contact Nancy Tobin identified as the documents author. Our email was not returned as undeliverable.
We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue.
We we notified them and followed up but no response.
So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate.
It is unknown of the individuals affected by this issue are still employed by the State of Virginia as we have not received any response to our inquiry.
Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling.
UPDATE:
As of 14 January, 2016 a response was received indicating that the issue is being corrected.
"DHRM takes any possible data breach very seriously,
and we wanted to notify you that measures are being taken to address
the issue:
·
Removal of the referenced documents and links from
DHRM’s servers so that data is no longer exposed that might impact
employee privacy and security;
·
Software that has proper redacting capability supplied to users;
·
Staff training introduced to ensure that no lapses will occur in the future.
Friday, January 8, 2016
2 Big Stories Next Week
We are currently reviewing 2 issues both of which are confirmed issues of PII and/or PHI data that we uncovered in the course of reading user submissions this week. Both involve some high profile entities of which neither has replied to our request for comments.
We have provided evidence of the issues to both and are awaiting any response.
We have provided evidence of the issues to both and are awaiting any response.